wolfSSH Password Leak and Authentication Bypass Vulnerability
Vulnerability
A vulnerability in wolfSSH's key exchange state machine can lead to the unintentional disclosure of the client's password, manipulation of signature transmissions, or bypassing user authentication. This issue affects client applications using wolfSSH versions through 1.4.21. The same vulnerability exists in wolfSSH server applications, although no specific attacks on servers have been reported.
Impact
Exploitation of this vulnerability could result in the leakage of client passwords, a bypass of user authentication, or the sending of fraudulent signatures during the key exchange process.
Remediation
Users of wolfSSH should update to the latest version or apply the available patch. It is also recommended to update any credentials used. For wolfSSH server applications, the same update or patch application is advised.
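To find which source trees or SDK copies still carry an affected release, the following added example (not part of the advisory or of wolfSSH itself) scans for `wolfssh/version.h` and compares the recorded version against 1.4.21. It assumes the release is recorded there as `LIBWOLFSSH_VERSION_STRING`; a build that received only the patch keeps its old version number and will still be reported as affected, so confirm those by hand.

```python
import re
import sys
from pathlib import Path

# Last affected release according to the advisory text above.
LAST_AFFECTED = (1, 4, 21)

# Assumption: wolfSSH records its release in wolfssh/version.h as
#   #define LIBWOLFSSH_VERSION_STRING "x.y.z"
VERSION_RE = re.compile(
    r'^\s*#\s*define\s+LIBWOLFSSH_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)',
    re.M,
)


def parse_version(header_text):
    """Return (major, minor, patch) from header text, or None if absent."""
    m = VERSION_RE.search(header_text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(header_text):
    """Return 'affected', 'not-affected' or 'unknown' for one header."""
    version = parse_version(header_text)
    if version is None:
        return "unknown"  # needs manual review; never treated as safe
    # Tuple comparison is numeric, so 1.4.9 sorts below 1.4.21
    # (a plain string comparison would get this wrong).
    return "affected" if version <= LAST_AFFECTED else "not-affected"


def scan_tree(root):
    """Yield (path, status) for every wolfssh/version.h under root."""
    for path in Path(root).rglob("version.h"):
        if path.parent.name == "wolfssh":
            yield path, classify(path.read_text(errors="replace"))


# Constructed sample headers (not taken from any real build); the second
# version number is only an arbitrary value above the affected range.
SAMPLE_OLD = '#define LIBWOLFSSH_VERSION_STRING "1.4.21"\n'
SAMPLE_NEW = '#define LIBWOLFSSH_VERSION_STRING "1.5.0"\n'

if __name__ == "__main__":
    for found, status in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:13} {found}")
```

Run it with the root of a source or vendor directory as the only argument; every `affected` or `unknown` line is a copy to update or inspect.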
